chocolatey / Chocolatey.Cake.Recipe

A set of convention based Cake scripts for building Chocolatey projects
Apache License 2.0

(#149) Switch to only signing when required #150

Closed gep13 closed 1 month ago

gep13 commented 1 month ago

Description Of Changes

This commit addresses this need by changing the DAG to use a new Verify-PowerShellScripts task, rather than the Sign-PowerShellScripts task. The latter is still available to call directly, when required, but only when a valid certificate is in place.

Supporting parameters and build directories have been created, to allow control over what the tasks do, including the ability to skip the verification step, using the --shouldVerifyPowerShellScripts command line argument.

A new verify-powershell.ps1 file has been added to check the list of incoming files, and the sign-powershell.ps1 has been updated to only sign when the current signature is invalid. To aid with getting the signed files added back into the repository, the signed files are uploaded as artifacts of the build.

Motivation and Context

We don't want to sign files when we don't need to. Going forward, PowerShell scripts are going to be signed when they are committed to the repository and only re-signed when required.

Testing

This will be a tricky one to test 😢

This will need to be tested in conjunction with this PR, and also in conjunction with a new build configuration for calling the updated Sign-PowerShellScripts task.

Happy to jump on a quick call to discuss further.

Operating Systems Testing

N/A

Change Types Made

Change Checklist

Related Issue

Fixes #149
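The verify-then-sign-only-when-needed flow described in this PR, as an added illustration that is not the recipe's own verify-powershell.ps1 or sign-powershell.ps1: it reports the Authenticode status of each script and, only when `-Sign` is given and a certificate is available, re-signs those whose signature is not currently `Valid` (including `HashMismatch`, i.e. a script edited after it was last signed). The certificate thumbprint and timestamp server are assumed placeholders.

```powershell
# Added example, not code from Chocolatey.Cake.Recipe. Verify a set of
# PowerShell scripts and sign only the ones whose signature is not valid.
param(
    [Parameter(Mandatory = $true)]
    [string[]] $Path,
    [string] $CertificateThumbprint = 'PLACEHOLDER_THUMBPRINT',   # assumed
    [string] $TimestampServer = 'http://timestamp.digicert.com',  # assumed
    [switch] $Sign
)

function Get-ScriptSignatureReport {
    param([string[]] $Files)
    foreach ($file in $Files) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        [pscustomobject]@{
            File         = $file
            Status       = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            NeedsSigning = ($sig.Status -ne 'Valid')
        }
    }
}

$files  = Get-ChildItem -Path $Path -Include '*.ps1', '*.psm1', '*.psd1' -Recurse -File |
          Select-Object -ExpandProperty FullName
$report = Get-ScriptSignatureReport -Files $files
$report | Format-Table -AutoSize

$toSign = @($report | Where-Object NeedsSigning)

# Verification-only mode: fail the build if any script is unsigned or tampered.
if (-not $Sign) {
    if ($toSign.Count -gt 0) {
        Write-Error ("{0} script(s) need signing: {1}" -f $toSign.Count, ($toSign.File -join ', '))
        exit 1
    }
    exit 0
}

# Signing mode: require a real certificate; never sign with nothing in place.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object Thumbprint -eq $CertificateThumbprint
if (-not $cert) { throw "No code-signing certificate with thumbprint $CertificateThumbprint" }

foreach ($item in $toSign) {
    $result = Set-AuthenticodeSignature -FilePath $item.File -Certificate $cert `
                  -TimestampServer $TimestampServer -HashAlgorithm SHA256
    if ($result.Status -ne 'Valid') { throw "Signing failed for $($item.File): $($result.Status)" }
    Write-Host "Signed $($item.File) (was $($item.Status))"
}
```

Scripts already carrying a valid signature are left untouched, so committing the signed files keeps subsequent builds from re-signing them.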

Windos commented 1 month ago

Thanks for getting this in, @gep13!